CVE-2024-55603

Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions are still usable even though their lifetime has been exceeded. Kanboard implements a custom session handler (`app/Core/Session/SessionHandler.php`) to store session data in a database. Therefore, when a `session_id` is given, Kanboard queries the data from the `sessions` SQL table. At this point it does not correctly verify whether the given `session_id` has already exceeded its lifetime (`expires_at`). Thus a session whose lifetime is already `> time()` is still queried from the database and hence still counts as a valid login. The implemented **SessionHandlerInterface::gc** function, which removes invalid sessions, is called only **with a certain probability** (_Cleans up expired sessions. Called by `session_start()`, based on `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings_) according to the PHP documentation. In the official Kanboard Docker image these values default to session.gc_probability=1 and session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
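The defect described above is a session store that enforces the lifetime only in `gc()`, which PHP invokes at random. The following is an added example, not Kanboard's code and not its fix: a minimal `SessionHandlerInterface` implementation backed by an in-memory SQLite table that checks `expires_at` on every `read()`, so a stale row is never handed back regardless of whether garbage collection has run. It assumes PHP 8.1+ with `pdo_sqlite`; the table layout, the `$lifetime` value and the session ids are constructed for the demonstration.

```php
<?php
// Added example (not Kanboard's code): database-backed session handler that
// enforces the session lifetime on read(), not only in gc().
// Assumptions: PHP 8.1+, pdo_sqlite; table/column names are constructed here.

final class ExpiringDbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime; // seconds a session stays valid after its last write

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Weak pattern, for contrast: SELECT data FROM sessions WHERE id = :id
    // (an expired row is returned until gc() happens to delete it).
    // Hardened: the row must also still be inside its lifetime.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires_at > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            // Unknown or expired: drop any stale row and start with empty data,
            // which PHP treats as an unauthenticated, fresh session.
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires_at) VALUES (:id, :data, :exp)');
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':exp' => time() + $this->lifetime,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // gc() still purges expired rows for housekeeping, but correctness of
    // read() no longer depends on how often PHP decides to call it.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Demonstration with constructed data: one live session and one row whose
// expires_at is already in the past, inserted directly to simulate a session
// that gc() has not yet removed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new ExpiringDbSessionHandler($db, 3600);
$handler->write('sess_live', 'user_id|i:1;');
$db->exec("INSERT INTO sessions (id, data, expires_at)
           VALUES ('sess_stale', 'user_id|i:1;', " . (time() - 1) . ")");

var_dump($handler->read('sess_live'));
var_dump($handler->read('sess_stale'));
var_dump($handler->gc(3600));
```

When run, the live id returns its serialized data, the stale id returns an empty string (and its row is deleted by `read()` itself), and the final `gc()` reports zero rows because nothing expired is left. The design point is that the lifetime check lives in the query that every request performs, so the `session.gc_probability`/`session.gc_divisor` ratio only affects storage hygiene, not whether an expired session is accepted.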
Configurations

Configuration 1

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

History

12 Mar 2025, 17:42

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | `cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*` |
| First Time | | Kanboard kanboard; Kanboard |
| References | () https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40 - | () https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40 - Product |
| References | () https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78 - | () https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78 - Patch |
| References | () https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484 - | () https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484 - Exploit, Vendor Advisory |
| References | () https://www.php.net/manual/en/function.session-start.php - | () https://www.php.net/manual/en/function.session-start.php - Product |
| References | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor - | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor - Product |
| References | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime - | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime - Product |
| References | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability - | () https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability - Product |
| References | () https://www.php.net/manual/en/sessionhandlerinterface.gc.php - | () https://www.php.net/manual/en/sessionhandlerinterface.gc.php - Product |
Summary
  • (es) Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions can still be used even though their lifetime has been exceeded. Kanboard implements a custom session handler (`app/Core/Session/SessionHandler.php`) to store session data in a database. Therefore, when a `session_id` is provided, Kanboard queries the data from the `sessions` SQL table. At this point, it does not correctly verify whether a given `session_id` has already exceeded its lifetime (`expires_at`). Therefore, a session whose lifetime is already `> time()` is still queried from the database and is therefore a valid login. The implemented **SessionHandlerInterface::gc** function, which removes invalid sessions, is called only **with a certain probability** (_Cleans up expired sessions. Called by `session_start()`, based on the `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings_) according to the PHP documentation. In the official Kanboard Docker image, these values default to: session.gc_probability=1, session.gc_divisor=1000. Therefore, an expired session is only terminated with a probability of 1/1000. This issue has been fixed in version 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

19 Dec 2024, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-12-19 00:15

Updated : 2025-03-12 17:42


NVD link : CVE-2024-55603

Mitre link : CVE-2024-55603

CVE.ORG link : CVE-2024-55603

Products Affected

kanboard

  • kanboard
CWE
CWE-613

Insufficient Session Expiration